- The malspam campaign relied on a mailing list managed by the Central Tibetan Administration (CTA).
- ExileRAT shared the same command-and-control (C2) server that was used earlier by the LuckyCat trojan.
A new malspam campaign has been found targeting the Tibetan government-in-exile. This campaign apparently targets a mailing list managed by the CTA. In the spam email, a malicious PowerPoint attachment named ‘Tibet-was-never-a-part-of-China.ppsx’ contains scripts that download ExileRAT onto systems.
According to Cisco Talos, which discovered this campaign, ExileRAT was found using shared resources for its operations.
The emails were sent to everyone who subscribed to the CTA’s mailing list. DearMail, an Indian bulk-mail service provider, is believed to have maintained the mailing list.
The body of the email contains a message referencing the 60th anniversary of the exile of the Tibetan guru, the Dalai Lama. The PowerPoint document attached at the end is actually a PDF copy of the book Tibet Was Never A Part Of China, in which a part of the ExileRAT script is hidden.